Email deliverability is a minefield. If you’re sending anything important—newsletters, transactional messages, alerts—you can’t afford to have your emails end up in spam or get silently discarded. DKIM and SPF are the two records you have to get right, especially when using an email service like Mailgun. This guide is for anyone who wants to set up DKIM and SPF records in Mailgun without pulling their hair out, whether you’re an engineer, sysadmin, or the unofficial “email person” on your team.
Let’s cut the nonsense and get your emails delivered.
Why DKIM and SPF Actually Matter
Before diving into setup, let’s get clear about what these are—and what they are not.
- SPF (Sender Policy Framework): Tells the world which mail servers can send on behalf of your domain. It’s a DNS TXT record—basically a list of “allowed senders.”
- DKIM (DomainKeys Identified Mail): Lets Mailgun sign your emails with a cryptographic key. This proves the email wasn’t tampered with and really came from your domain.
- DMARC: Not the focus here, but worth knowing. It builds on SPF and DKIM to give you more control and reporting.
What they don’t do:
SPF and DKIM don’t guarantee delivery or keep you out of spam. But if you mess them up, you can almost guarantee problems. Some ISPs will flat-out drop unsigned or unauthenticated mail. Others will quietly spam-folder your stuff.
Step 1: Prep Your Domain for Mailgun
First things first: pick the right domain. Don’t use your main domain for bulk or marketing emails. If you send receipts from yourapp.com, don’t blast your newsletter from the same domain. Mailgun lets you set up subdomains (like mg.yourapp.com). This helps isolate issues and keeps your main domain’s reputation clean.
Pro tip:
If you’re just testing, Mailgun offers a sandbox domain. That won’t work for real production emails—don’t skip setting up your own domain.
Step 2: Get the DKIM and SPF Records from Mailgun
Once you add your domain in Mailgun, it generates the DNS records for you. This is the part most people overcomplicate.
- Log in to Mailgun and add your sending domain.
- Mailgun will show you the DKIM and SPF records it wants you to add. Don’t copy-paste from some random tutorial; use the ones from your account dashboard.
- You’ll see:
- An SPF record (TXT) for your root domain or subdomain.
- One or more DKIM records (TXT) with a selector like
krs._domainkey.yourdomain.com.
Ignore:
Anything labeled “MX” unless you plan to receive mail at this domain. If you’re only sending, focus on TXT (DKIM and SPF).
Step 3: Add the Records to Your DNS
This is where things go wrong for most people. Here’s how to avoid the usual pitfalls:
Adding SPF
- If you already have an SPF record, don’t add a second one. SPF only works if there’s one record per domain. Instead, merge the Mailgun rule into your existing SPF.
- Mailgun usually suggests:
v=spf1 include:mailgun.org ~all
If you send mail from other sources (Gmail, SendGrid, etc.), make sure they’re all included.
- Keep it to one v=spf1 record per domain.
Example merged SPF:
v=spf1 include:_spf.google.com include:mailgun.org ~all
Adding DKIM
- Mailgun gives you a DKIM record with a selector (e.g.
krs._domainkey). The host/name in your DNS should match exactly. - Paste the entire DKIM value Mailgun gives you. Don’t add, remove, or reformat anything.
- If your DNS provider auto-adds your domain to the host field, don’t duplicate it. For example, if your provider appends
.yourdomain.com, just use the selector.
Common mistakes to avoid:
- Wrong host/selector: Double-check. If Mailgun says krs._domainkey.yourdomain.com, make sure that’s exactly what you create.
- Line breaks: DKIM keys can be long. Paste them as a single line unless your DNS provider says otherwise.
- Propagation: Changes can take hours. Don’t panic if Mailgun still says “unverified” right away.
Step 4: Verify in Mailgun
Head back to Mailgun and hit the “Check DNS Records” or “Verify” button for your domain. If all’s well, you’ll see green checkmarks. If not, double-check:
- Typos in the record values.
- Wrong host/selector (seriously, 90% of issues are here).
- DNS hasn’t updated yet—wait a bit, then try again.
If you’re stuck, use third-party tools like MXToolbox to check that your records are visible publicly.
Step 5: Test Real-World Delivery
Just because Mailgun says “verified” doesn’t mean your emails are landing in inboxes.
- Send test messages to personal Gmail, Outlook, and Yahoo addresses.
- Check the raw headers. Make sure
spf=passanddkim=passshow up. - If you see “neutral” or “softfail,” double-check your SPF.
- If DKIM fails, it’s almost always a problem with the selector or a copy-paste issue.
Ignore:
Spam scores from obscure tools. Focus on the big providers (Gmail, Outlook) since they set the tone for everyone else.
Step 6: Maintain and Monitor
Once things are working, you can mostly ignore them—but check in once in a while.
- When you add new mail services, update your SPF record. Don’t just keep adding new ones—merge them.
- If you rotate DKIM keys (rare, but good hygiene), update your DNS.
- If you set up DMARC, watch the reports for authentication failures. DMARC is optional but can help you catch issues early.
Don’t get suckered into overcomplicated setups or “deliverability optimization” services unless you really need them. Clean records, solid content, and good sending practices go further than expensive tricks.
Frequently Asked Questions
Q: Can I use the same domain for Mailgun and other email services?
A: Yes, but merge all your SPF rules into one record. For DKIM, each service uses its own selector—just add all needed DKIM records.
Q: Can I use wildcard DNS entries?
A: No. DKIM and SPF need explicit records. Wildcards won’t work for authentication.
Q: Do I need to set up DMARC too?
A: It’s not required, but it’s a good next step once SPF and DKIM are working. DMARC helps you spot and block abuse.
Keep It Simple, Iterate as Needed
You don’t need to become a DNS wizard to get this right. Use the exact records Mailgun gives you, merge SPF rules carefully, and double-check selectors. Most problems are simple typos or copy-paste mistakes. Keep things as simple as possible, test real emails, and tweak as you go. If you run into trouble, don’t overthink it—go back to basics and verify each step. Happy sending.